Samsung Pay Is Less Secure than Apple and PayPal

I sometimes forget while traveling the trade show circuit that I’m seeing things before they come out. Being a pirate on top of this, I just forget release dates of everything. It wasn’t until this morning I started hearing chatter about Samsung Pay being released and I remembered I never wrote up what I learned from that demo at CTIA Super Mobility Week.

Samsung Pay is some scary technology…

Samsung Pay is insecure…

Exploring Personal Finance in the Tech Sector

First, here’s a little background on how this came to be. As a bank whistleblower, I was blacklisted from the banking industry. Now I use PayPal and Google Wallet instead. I own an iPhone 5s and a generic pay-as-you-go Galaxy. I also write about tech, business, and finance for a variety of blogs.

In the course of doing business, I had a chance to interview (via email, of course) execs from PayPal during their departure from eBay. I also toured Samsung’s product lines at Super Mobility Week. In putting everything together, I noticed Samsung Pay actually works differently than PayPal and Apple, and I don’t know if that’s a good thing.

It’s Not Just for Android

On the surface, Samsung Pay is an app that stores credit/debit cards just like Google Wallet, Apple Pay, PayPal, and every other service. What Samsung claims to be the main difference that makes Samsung Pay stand apart from the crowd is that it doesn’t require the NFC readers these other solutions do.

MST technology generates changing magnetic fields over a very short period of time. This is accomplished by putting alternating current through an inductive loop, which can then be received by the magnetic read head of the credit card reader. The signal received from the device emulates the same magnetic field change as a mag stripe card when swiped across the same read head. LoopPay works within a 3-inch distance from the read head. The field dissipates rapidly beyond that point, and only exists during a transmission initiated by the user.

So basically, this technology will work on any magnetic card reader where you swipe your card (convenience stores, grocery, casino ATMs, etc.), but not on card readers where the card is fed into the machine (gas station pumps, bank ATMs, etc.). While these two technologies appear to be doing the same thing to the naked eye, the operation is very different.

It’s Not New or Unique

Another point worth mentioning from LoopPay’s website is that LoopPay as an app is available for both Android and iOS (starting with iPhone 5s), so this technology has been around for a few years on the consumer market already (albeit through a secondary device plugged in through the audio jack on incompatible phones).

It’s been featured in a variety of publications that are splattered across the homepage.

This is nothing new…

What Samsung Pay (MST technology) is doing is cloning your debit card information. When I was growing up, this was considered piracy because it enables you to do things like John Connor did with the ATM in Terminator 2.

It also allows Samsung to bypass all the restrictions Apple and Google faced by having to deal with retailers.

For Google Wallet and Apple Pay to work, the companies must convince retailers to convert their POS equipment to accept NFC communications. Samsung doesn’t have to do that, but it comes at the cost of being an insecure method of payment.

LoopPay Fiasco

The inner workings behind debit and credit transactions aren’t worth delving too far into here, but when you look at your receipt, you’ll see hints of transaction codes being used for authorizations. This is how your account balances are verified and is a form of encryption.

After initially seeing the Samsung rep wave the phone over the card reader, they continued their pitch and stated if you’re in an area with bad reception, there are 10 authorization codes stored on your phone.

I asked what the technology was behind that, and he wouldn’t tell me. He jokingly referred to it as “magic,” so I jokingly asked what would happen if I flipped my phone into airplane mode and started accessing those 10 authorization codes. Both reps shut up almost instantly and tried changing the subject.

About a week later, I posed the question on the 2600 Hacker Quarterly Facebook page, where all magic can be revealed if you know what questions to ask. That’s where I was pointed in the direction of LoopPay.

So, while it’s cool that Samsung Pay launched, don’t listen to these ridiculous reviews from Fortune and WSJ that were clearly either paid for or terribly researched. This is ancient tech that’s using loopholes to gain market share at the expense of everyone’s security.

Anything LoopPay is basically to mobile banking what the black box was to analog cable TV. It’s a pirate’s dream. I’d stock up on these if I were a pirate, hacker, troll, or general tech enthusiast…

Brian Penny is a former business analyst and operations manager at Bank of America turned whistleblower, troll, and freelance writer. His work has appeared in High Times, Huffington Post, Fast Company, Hardcore Droid, Intuit’s Small Business Resource, and Main Street.